How to Set Access Permissions in Your VDR Strategically
Date: 15 December 2019
Virtual deal rooms (VDRs) have made it easier to negotiate sensitive business deals, prepare for litigation and perform other document-heavy tasks. Rather than requiring participants in the process to travel to a single, secured physical space, a VDR places documents online using cutting-edge data security to protect information from outsiders.
Within the VDR, fine-tuning access is possible in new ways, as well. A VDR’s administrator can control the access and permissions available to each individual user, protecting not only specific files or documents but even specific pages or paragraphs within a single document.
To take full advantage of the access and permissions capabilities of a VDR, users need to understand how these tools work and how they benefit the security of an ongoing negotiation.
Why Control Access?
Incorrectly set access and permission controls are rampant in business.
According to a 2019 Varonis study, 88 percent of companies with more than 1 million shared folders have 100,000 folders, or 10 percent, accessible to any employee, Varonis software engineer Rob Sobers says. Thirty percent of these companies have more than 1,000 “sensitive” folders available to anyone, while 57 percent have folders with inconsistent permissions. Overall, only 3 percent of a company’s folders are protected, Sobers says.
“Depending on the OS and device, there can be dozens of individual granular permissions, along with inheritance issues and group membership considerations that can add up to permission mistakes,” says Roger A. Grimes, a columnist at CSO. “It’s easy for a single security principal (e.g., a user) to get permission to something they shouldn’t have access to.”
These incorrectly set access or permissions parameters offer low-hanging fruit for hackers, who can use them to access information without permission.
And excessive permissions are everywhere. For instance, Grimes says he looks for network folders that allow any logged-on user to edit the folder, as well as folders that allow anyone to read their contents.
“I’ve found this mistake in some of the world’s largest companies,” Grimes says. “In fact, the larger they are, the more likely it is that I’ll find this issue.” It seems that improper access and permission controls are a common problem, and an easy entry point for malicious actors.
4 Important Considerations When Setting Access Permissions
Choosing the right data room software can be difficult. Your team needs a tool that will protect the sensitive information stored within the data room, and they need to know how the VDR’s access and permissions settings work — without needing to become security experts themselves.
Keeping a few key considerations in mind can help you choose the right collaboration software for your needs.
Stay Out of the Clouds
Standard cloud-storage applications are particularly prone to these kinds of access and permission vulnerabilities. “The volume of public cloud utilization is growing rapidly, so that inevitably leads to a greater body of sensitive stuff that is potentially at risk,” says Jay Heiser, vice president and cloud security lead at Gartner.
When a deal is particularly sensitive or key information must remain confidential, public cloud-based tools like Google Drive and Dropbox may be inadequate both to protect against hackers and to keep your information in one location.
Virtual deal rooms provide the additional permissions, access and protection required to address the vulnerabilities that public cloud storage options don’t.
Many Controls Exist, and They Aren’t Mutually Exclusive
As Google’s best practices for cloud storage note, users should not be required to choose just one type of access control. For instance, a combination of an access control list naming authorized viewers and a signed URL can allow a core team to access certain documents when they need to while a separate party gains access through the signed URL for a one-time task like signing a document.
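The combination described above can be sketched as follows. This is an added example, not code from the original article or from any VDR or cloud vendor: the signing scheme is a simplified HMAC illustration (not Google's signed URL format), and the key, paths and user names are constructed.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data: a server-side signing secret and one document's ACL.
SIGNING_KEY = b"constructed-demo-key"
ACL = {"/docs/purchase-agreement.pdf": {"alice@buyer.example", "bob@buyer.example"}}


def _sign(path: str, expires: int) -> str:
    """HMAC over path and expiry, so the link holder can change neither."""
    message = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()


def make_signed_url(path: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue a link that grants access to one path until the expiry time."""
    issued = time.time() if now is None else now
    expires = int(issued + ttl_seconds)
    query = urlencode({"expires": expires, "sig": _sign(path, expires)})
    return f"{path}?{query}"


def authorize(url: str, user: Optional[str] = None,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Allow if the user is on the ACL, or the URL has a valid, unexpired signature."""
    parsed = urlparse(url)
    if user is not None and user in ACL.get(parsed.path, set()):
        return True, "acl"
    query = parse_qs(parsed.query)
    try:
        expires, sig = int(query["expires"][0]), query["sig"][0]
    except (KeyError, ValueError):
        return False, "denied"  # not on the ACL and no usable signature
    # Verify the signature before trusting the expiry value it covers.
    expected = _sign(parsed.path, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad-signature"
    current = time.time() if now is None else now
    if current > expires:
        return False, "expired"
    return True, "signed-url"
```

The returned reason string ("acl", "signed-url", "expired" and so on) is what an audit log would record for each access decision.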
Keep Your Team From Getting Sloppy
Access controls also prevent data leakage or exfiltration, in which authorized users share files outside the organization. While the intent may be benign, such as a desire to allow easier work access, the result can be that sensitive information lands in the wrong hands.
Tools like audit logs and sharing controls help prevent exfiltration, says Brian Sheehan, vice president of DelCor Technology Services. For instance, audit logs can tell you exactly who viewed or edited a file; sharing controls can prevent documents from being copied, exported or transferred out of the VDR.
Don’t Let Your Staff Become the Weak Point
Not all data breaches occur through digital channels. Social engineering is a hacking tactic that focuses on manipulating human beings to get access to passwords, data or physical structures like servers.
“Social engineering has proven to be a very successful way for a criminal to ‘get inside’ your organization,” says Josh Fruhlinger, writer and editor at CSO. “Once a social engineer has a trusted employee’s password, he can simply log in and snoop around for sensitive data. With an access card or code in order to physically get inside a facility, the criminal can access data, steal assets or even harm people.”
Compromised credentials are involved in 81 percent of hacking-related breaches, according to the 2017 Verizon Data Breach Investigation Report. While credentials can be compromised by hackers breaking through passwords or using other digital means, they are often compromised by social engineering schemes in which users voluntarily hand over — or inadvertently let slip — their credentials.
To defend against such attacks, include education on social engineering as part of your team’s security training. When your team knows what to look for, they’re more likely to recognize an attempt to steal their credentials and prevent it.
Also, look for VDRs that offer multi-step authentication tools or other means to challenge users to prove they are who their username and password claim they are. Zero-trust identity security, for instance, uses multiple checkpoints to verify a user’s legitimacy before granting access, says Ben Canner, an enterprise technology writer at Solutions Review.
Choosing the Right VDR for Your Security and Privacy Needs
Choosing the right VDR includes choosing a tool that offers the access and permissions restrictions your teams need.
Keep It Simple to Use
Time is often of the essence in sensitive negotiations, so a VDR that requires your staff to learn an entirely unfamiliar piece of software from scratch could pose an unacceptable hurdle.
Instead, look for tools that allow for drag-and-drop file uploading and other familiar means of interaction while also protecting data security and privacy. Tools that integrate with file-viewing or file-sharing software like Windows File Explorer or commonly used browsers can simplify file management without sacrificing necessary protections, says Yuemin Lu, program manager for Microsoft Azure.
Consider an RBAC Approach
RBAC, or role-based access control, gives users access to data based on their role within an organization. RBAC analyzes each user’s data access needs based on their job duties, then assigns access accordingly.
Many organizations avoid RBAC because analyzing each participant’s role and access can sound intimidating or time-consuming, says Robert C. Covington, a contributor at CSO. Yet controlling access and preventing breaches is much simpler once the system is in place.
“With the proper implementation of RBAC, the assignment of access rights becomes systematic and repeatable,” Covington says. “Further, it is much easier to audit user rights, and to correct any issues identified.”
Imagine, for example, an RBAC system used to set VDR access and permissions during a large-scale merger. Under this system, attorneys responsible for compliance issues may have one set of access permissions, while financial auditors may have another. These permissions may overlap on certain key documents, but neither group has access to information they do not need. That’s how the risk of a data breach is mitigated.
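The merger scenario above, as an added example that is not from the original article or any VDR product: roles map to folder permissions, access is denied by default, and an audit compares the grants actually configured in the room against what each user's role justifies. All role names, folders, users and grants are constructed.

```python
# Constructed role definitions: folder prefix -> allowed actions.
ROLE_PERMISSIONS = {
    "compliance_attorney": {
        "contracts/": {"view"},
        "regulatory/": {"view", "annotate"},
    },
    "financial_auditor": {
        "contracts/": {"view"},  # the overlap on key documents
        "financials/": {"view", "download"},
    },
}
USER_ROLES = {"a.ng": {"compliance_attorney"}, "r.patel": {"financial_auditor"}}

# Constructed list of grants actually configured in the room: (user, folder, action).
CONFIGURED_GRANTS = [
    ("a.ng", "contracts/", "view"),
    ("a.ng", "financials/", "view"),  # added ad hoc, outside the role
    ("r.patel", "financials/", "download"),
]


def effective_permissions(user):
    """Union of the permissions granted by every role the user holds."""
    merged = {}
    for role in USER_ROLES.get(user, ()):
        for folder, actions in ROLE_PERMISSIONS[role].items():
            merged.setdefault(folder, set()).update(actions)
    return merged


def is_allowed(user, doc_path, action):
    """Default deny: allow only if a role grants the action on the document's folder."""
    return any(
        doc_path.startswith(folder) and action in actions
        for folder, actions in effective_permissions(user).items()
    )


def audit(configured_grants):
    """Return configured grants that no role of the user justifies."""
    return sorted(
        (user, folder, action)
        for user, folder, action in configured_grants
        if action not in effective_permissions(user).get(folder, set())
    )
```

Running `audit(CONFIGURED_GRANTS)` reports the attorney's ad hoc grant on the financials folder, the kind of drift that is hard to spot when permissions are assigned user by user.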
Access and permissions controls lie at the heart of a robust VDR that protects important data while still allowing every member of the team to complete the tasks they’re assigned. By understanding key considerations behind access and permissions, your team can choose the right virtual deal room software to get the job done.